Run a Wireguard VPN server on UDM Pro
Run a Wireguard VPN server on UDM Pro and provide external clients access to network resources behind UDM Pro - classic road warrior / home network access scenario.
The menu steps indicated here refer to UDM Pro Firmware 1.9.3, with the "new" interface active.
- In the Network App, go to "Settings" -> "Networks" -> "Add new network"
- Provide a name: "VLAN240 Wireguard VPN"
- Enter a VLAN number: "240"
- Under "Advanced", select "DHCP Mode": "None"
- In the Network App, go to "Settings" -> "Advanced Features" -> "Advanced Gateway Settings" -> "Create New Portforwarding"
- Provide a name: "Wireguard VPN"
- Enable forward rule
- From: "Any"
- Port: 51820
- Forward IP: "192.168.240.1"
- Forward Port: 51820
- Protocol: UDP
With this, the UDM Pro automatically creates a firewall rule on the "Internet" interface that opens this port.
You will create three rules in this example.
- Forward packets from WAN interface to VPN gateway address
- Allow access of VPN clients to all private networks
- Allow all private networks to access VPN clients
You may also apply stricter rules for #2 and #3, for example limiting access to certain VLANs only.
Before creating the firewall rules, let's do some homework to make things easier.
You will create three new groups:
- IP Address of your VPN server,
- Port used by Wireguard and
- A network group covering all private networks
- In the Network App, go to "Settings" -> "Security" -> "Internet Threat Management" -> "Firewall"
- Click "Create New Group"
- Name: "Wireguard VPN Server IP 192.168.240.1"
- Type: "IPv4 Address / Subnet"
- "Add Address" -> "192.168.240.1"
- In the Network App, go to "Settings" -> "Security" -> "Internet Threat Management" -> "Firewall"
- Click "Create New Group"
- Name: "Wireguard VPN Port 51820"
- Type: "Port Group"
- "Add Port" -> "51820"
- In the Network App, go to "Settings" -> "Security" -> "Internet Threat Management" -> "Firewall"
- Click "Create New Group"
- Name: "RFC1918 (All Private Networks)"
- Type: "IPv4 Address / Subnet"
- Click "Add Address" three times and enter:
- "10.0.0.0/8"
- "172.16.0.0/12"
- "192.168.0.0/16"
- In the Network App, go to "Settings" -> "Security" -> "Internet Threat Management" -> "Firewall"
- Click "Create New Rule"
- Type: "Internet Local"
- Description: "WG: allow incoming VPN traffic"
- Enabled: oh yes
- Rule Applied: "Before predefined rules"
- Action: "Accept"
- IP4 protocol: "UDP"
- Source:
- Type: "Address/Port Group",
- "Any",
- "Any"
- Destination:
- "Address/Port Group",
- "Wireguard VPN Server IP 192.168.240.1",
- "Wireguard VPN Port 51820"
- In the Network App, go to "Settings" -> "Security" -> "Internet Threat Management" -> "Firewall"
- Click "Create New Rule"
- Type: "Internet Local"
- Description: "WG: allow access to intranet"
- Enabled: oh yes
- Rule Applied: "Before predefined rules"
- Action: "Accept"
- IP4 protocol: "UDP"
- Source:
- Source Type: "Network",
- Network: "VLAN240 Wireguard VPN",
- Network Type: "IPv4 Subnet"
- Destination:
- Destination Type: "Address/Port Group",
- IPv4 Address Group: "RFC1918 (All Private Networks)",
- Port Group: "Any"
- In the Network App, go to "Settings" -> "Security" -> "Internet Threat Management" -> "Firewall"
- Click "Create New Rule"
- Type: "Internet Local"
- Description: "WG: allow access to VPN clients"
- Enabled: oh yes
- Rule Applied: "Before predefined rules"
- Action: "Accept"
- IP4 protocol: "UDP"
- Source:
- Source Type: "Address/Port Group",
- IPv4 Address Group: "RFC1918 (All Private Networks)",
- Port Group: "Any"
- Destination:
- Destination Type: "Network",
- Network: "VLAN240 Wireguard VPN",
- Network Type: "IPv4 Subnet"
Create file /mnt/data/wireguard/wg0.conf
[Interface]
PrivateKey = <your private server key here>
ListenPort = 51820

# Peer number 1
[Peer]
PublicKey = <peer number one's public key here>
AllowedIPs = 192.168.240.2/32
Create file /mnt/data/on_boot.d/20-wireguard.sh
#!/bin/sh
CONTAINER=wireguard

# Starts a wireguard container that is deleted after it is stopped.
# All configs are stored in /mnt/data/wireguard.
if podman container exists ${CONTAINER}; then
    podman start ${CONTAINER}
else
    podman run -i -d --rm --net=host --name ${CONTAINER} --privileged \
        -v /mnt/data/wireguard:/etc/wireguard \
        -v /dev/net/tun:/dev/net/tun \
        -e LOG_LEVEL=info -e WG_COLOR_MODE=always \
        masipcat/wireguard-go
fi
Execute sh /mnt/data/on_boot.d/20-wireguard.sh
All client config files look similar:
[Interface]
PrivateKey = <the client's private key goes here>
# must match this peer's AllowedIPs in the server's wg0.conf
Address = 192.168.240.2/32
DNS = 192.168.240.1

[Peer]
PublicKey = <the server's public key goes here>
AllowedIPs = 192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12
Endpoint = <your public server IP / DNS name goes here>:51820
The AllowedIPs parameter defines which IP addresses are routed over the VPN. If you provide 0.0.0.0/0 here, all traffic is routed through the VPN.
The DNS parameter can be used to forward all DNS queries to your pi-hole running on your UDM Pro. Very convenient.
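To catch the usual mistakes in a client file before handing it out (a placeholder left in a key field, or a DNS server that AllowedIPs does not route through the tunnel, so queries never reach the pi-hole), here is an added Python checker that is not part of this guide. It works on a constructed sample config with dummy keys and a dummy endpoint.

```python
import base64
import ipaddress
# Constructed sample (not from the guide): the client config shape shown above,
# with placeholder keys of the right form (32 bytes, base64) and a dummy endpoint.
CLIENT_CONF = """[Interface]
PrivateKey = AgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgI=
Address = 192.168.240.2/32
DNS = 192.168.240.1
[Peer]
PublicKey = AQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQE=
AllowedIPs = 192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12
Endpoint = vpn.example.invalid:51820
"""

def parse_wg_conf(text):
    """Parse the INI-like wg-quick format into [(section, {key: value}), ...]."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if line.startswith("[") and line.endswith("]"):
            current = {}
            sections.append((line[1:-1], current))
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return sections

def is_wg_key(value):
    """A WireGuard key is exactly 32 bytes, base64 encoded (44 characters)."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except ValueError:
        return False

def check_client_conf(text):
    """Return (tunnel_mode, findings) for a client config; no findings means OK."""
    findings, allowed, dns = [], [], None
    for name, kv in parse_wg_conf(text):
        if name == "Interface":
            dns = ipaddress.ip_address(kv["DNS"]) if "DNS" in kv else None
        elif name == "Peer":
            if not is_wg_key(kv.get("PublicKey", "")):
                findings.append("Peer PublicKey is not a valid key")
            allowed += [ipaddress.ip_network(a.strip(), strict=False)
                        for a in kv.get("AllowedIPs", "").split(",") if a.strip()]
    mode = "full" if any(n.prefixlen == 0 for n in allowed) else "split"
    # The DNS server must itself be routed through the tunnel, or queries go to
    # whatever resolver the local network hands out instead of the pi-hole.
    if dns is not None and not any(dns in n for n in allowed):
        findings.append(f"DNS {dns} is not covered by AllowedIPs")
    return mode, findings
```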
When all is set and done, reload the config:
# podman exec -it wireguard wg setconf wg0 /etc/wireguard/wg0.conf
You can check if everything is up and running by calling
# podman exec -it wireguard wg show
The result should look like this:
interface: wg0
public key: u<some gibberish>M=
private key: (hidden)
listening port: 51820
peer: O6NL2urOlkDAQ/QYF7/iC+e1Vinw83pG0yTegEbV3x4=
endpoint: 81.182.61.44:5536
allowed ips: 192.168.240.2/32
latest handshake: 3 seconds ago
transfer: 1.25 KiB received, 1.82 KiB sent
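The human-readable output above is fine for a quick look; for a scripted health check of the tunnel, wg offers the machine-readable `wg show wg0 dump` (tab separated, handshake as a Unix timestamp). The following Python is an added example, not part of this guide: it parses a constructed dump sample with dummy keys and lists peers that have not handshaked recently. On the UDM Pro you would feed it the output of `podman exec wireguard wg show wg0 dump`.

```python
import time

# Constructed sample (not real output) in the format of `wg show wg0 dump`:
# line 1 = private key, public key, listen port, fwmark; then one line per peer:
# public key, preshared key, endpoint, allowed ips, latest handshake (unix
# time, 0 = never), rx bytes, tx bytes, persistent keepalive. Keys are dummies.
NOW = 1_700_000_000
SAMPLE_DUMP = "\n".join("\t".join(f) for f in [
    ["SERVERPRIVATEKEY=", "SERVERPUBLICKEY=", "51820", "off"],
    ["PEER1PUBLICKEY=", "(none)", "203.0.113.7:5536", "192.168.240.2/32",
     str(NOW - 3), "1280", "1864", "off"],
    ["PEER2PUBLICKEY=", "(none)", "(none)", "192.168.240.3/32", "0", "0", "0", "off"],
])

def parse_wg_dump(text):
    """Return (listen_port, peers) from dump output. The interface line carries
    the private key in clear, so only the port is taken from it; never log it."""
    rows = [line.split("\t") for line in text.strip().splitlines()]
    listen_port = int(rows[0][2])
    peers = [{"public_key": r[0], "endpoint": r[2], "allowed_ips": r[3],
              "latest_handshake": int(r[4]), "rx": int(r[5]), "tx": int(r[6])}
             for r in rows[1:]]
    return listen_port, peers

def stale_peers(text, max_age=180, now=None):
    """Public keys of peers with no handshake within max_age seconds. A peer
    with traffic re-handshakes about every 2 minutes, so 3 minutes of silence
    means it is not currently talking to the server."""
    now = time.time() if now is None else now
    return [p["public_key"] for p in parse_wg_dump(text)[1]
            if p["latest_handshake"] == 0 or now - p["latest_handshake"] > max_age]

if __name__ == "__main__":
    port, peers = parse_wg_dump(SAMPLE_DUMP)
    print(f"wg0 listening on {port}, {len(peers)} peers configured")
    for key in stale_peers(SAMPLE_DUMP, now=NOW):
        print(f"no recent handshake from {key}")
```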